Safe!hints is our whistleblowing system. Employees, customers, business partners, and others with information can use safe!hints to report suspected violations of laws and internal rules to the internal reporting body. Safe!hints is part of our compliance management system.

Who is the controller responsible for data processing?

The controller responsible for the processing of your personal data (the “organization”) is:

Rottendorf Pharma GmbH, Ostenfelder Str. 51-61, 59320 Ennigerloh, Germany, represented by Marco Niemann and Erich Scheibner.

 In keeping with our legal obligations, we have appointed a data protection officer. You can contact this person at any time with any questions you may have about data protection and/or privacy. You can reach our data protection officer by mail at the address above, adding “Attn.: Data Protection Officer,” or by e-mail at

 What data are processed?

Using safe!hints is voluntary.

When violations are reported via safe!hints, personal data (such as name, contact details, photos, matter being reported, etc.) on

· the person making the report (the whistleblower),

· the person who is the subject of the report (reported person), and

· the other persons mentioned in the report (such as witnesses and/or third parties)

that are entered in the relevant report form are processed.

For what purpose and on what legal basis do you process my data?

The data mentioned above are processed for the purpose of detecting and preventing serious abuses and preventing and defending against especially drastic or even existential legal consequences, damage and/or losses that may be incurred by our organization (criminal prosecution, claims for damages, harm to our image, supervisory measures) and/or employees.

The legal basis for processing is a legal obligation pursuant to point (c) of Article 6(1) of the EU General Data Protection Regulation (GDPR) to comply with the specifications of the EU Whistleblower Directive (Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019) and those of the German Whistleblower Protection Act (HinSchG).

 Who receives my data?

Within the scope of the reviews, investigations, and corrective actions that may need to be taken, it may be necessary to share information on a reported incident with external advisors (such as legal counsel) or the government agencies with jurisdiction.

 The infrastructure of the system, including the Web pages and database, is operated by Biehn & Professionals GmbH, Wiesenstr. 32, 33397 Rietberg-Mastholte, Germany, on our behalf in accordance with Article 28 GDPR. This company in turn utilizes the services of a specialized software subcontractor. Biehn & Professionals GmbH is contractually obligated to maintain strict confidentiality and abide by all requirements of data protection and privacy law. Beyond that, our external data protection officer is also subject to a separate statutory obligation of confidentiality.

What are my data protection and privacy rights?

Upon request, you have the right to receive access to information, free of charge, on the personal data concerning you that are stored, the origin and recipient(s) thereof, and the purpose of data processing. Where we process your data on the basis of our legitimate interest, you have the right to object to the processing if there are legitimate grounds relating to your particular situation (right to object). In addition, you have the right to rectification of inaccurate personal data, the right to erasure of personal data, the right to restriction of processing of personal data, and the right to data portability. You can contact us anytime with regard to these rights and/or any further questions you may have on the subject of personal data. Finally, you have the option to lodge a complaint with the supervisory authority if you believe the processing of your data violates data protection or privacy laws or that your claims under these laws have otherwise been violated in any way.

How long are the personal data stored?

Personal data are stored as long as is necessary to investigate the matter and assess it on a final basis or as long as is required by law. After that, these data are erased in keeping with the statutory specifications. Should a report turn out to be unfounded, the report is erased without delay, including the personal data contained therein. Reports are typically erased after six months. A final assessment is stored beyond that for documentation purposes.